A blind SQL injection flaw exists in the "save_loan" action of ajax.php. The borrower_id POST parameter is insufficiently sanitized, permitting an authenticated attacker to inject arbitrary SQL. This could allow attacker to read, modify, or delete data from the loan database, potentially exposing sensitive borrower information or altering loan records. The weakness is identified as CWE-89, a classic input validation flaw common in web applications.

The vulnerability affects the SourceCodester Loan Management System version 1.0. No other product versions or vendors are listed; the CPE string identifies only this single version. The system is a web application that accepts borrower_id via POST to ajax.php.

The CVSS score of 5.4 indicates moderate severity. EPSS score is less than 1%, indicating low likelihood of exploitation at present. The vendor has not listed it in CISA KEV, but the risk exists for authenticated users who have permission to access the loan submission endpoint. Since the exploitation path requires authentication, the attack vector is likely internal or privileged access; an attacker with legitimate user credentials could trigger the vulnerable query. There is no publicly released exploit, but the blind nature means detection relies on behavioral observation rather than error messages.